Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs

Security Reporter

Four popular VS Code extensions with 125M+ installs contain critical vulnerabilities allowing file theft and remote code execution, with three still unpatched.

Cybersecurity researchers have uncovered critical security flaws in four widely used Microsoft Visual Studio Code extensions that together have been installed more than 125 million times, potentially exposing millions of developers to file theft and remote code execution attacks.

The Vulnerable Extensions

The affected extensions include:

  • Live Server - A popular local development server extension
  • Code Runner - A tool for running code snippets in various languages
  • Markdown Preview Enhanced - A markdown preview and export extension
  • Microsoft Live Preview - Microsoft's official preview extension

Vulnerability Details

CVE-2025-65717 - Live Server (CVSS 9.1)

This critical vulnerability allows attackers to exfiltrate local files by tricking developers into visiting malicious websites while the extension is running. The attack exploits the local development HTTP server that runs on localhost:5500, enabling JavaScript embedded in malicious pages to crawl and extract files from the local server and transmit them to attacker-controlled domains.

CVE-2025-65716 - Markdown Preview Enhanced (CVSS 8.8)

This high-severity flaw enables arbitrary JavaScript code execution through crafted markdown (.md) files. Attackers can upload malicious markdown files that allow local port enumeration and data exfiltration to domains under their control.

CVE-2025-65715 - Code Runner (CVSS 7.8)

This vulnerability permits arbitrary code execution by convincing users to modify their "settings.json" file through phishing or social engineering attacks.

Microsoft Live Preview

While this extension also contains a vulnerability allowing access to sensitive files through malicious website visits, Microsoft has already silently patched this issue in version 0.4.16 released in September 2025.

Security Implications

OX Security researchers Moshe Siman Tov Bustan and Nir Zadok emphasized the severity of these findings: "Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations."

These vulnerabilities highlight the risks associated with third-party development tools and the potential for supply chain attacks targeting software development environments.

Protection Recommendations

To secure your development environment against these and similar threats:

  1. Avoid untrusted configurations - Be cautious about applying settings from unknown sources
  2. Disable or uninstall non-essential extensions - Reduce your attack surface
  3. Harden local network security - Use firewalls to restrict inbound and outbound connections
  4. Keep extensions updated - Regularly check for and install security patches
  5. Turn off localhost services when not in use - Minimize exposure windows
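As an added example, covering both the vulnerability details above and recommendation 4 (it is not code from the article, OX Security or the extension authors): a small Python inventory check that parses the output of `code --list-extensions --show-versions` and flags the four extensions the report names. The marketplace extension IDs are assumed rather than taken from the article, and the sample inventory and its version numbers are constructed.

```python
import re
import subprocess

# Marketplace IDs are assumed (not stated in the article); CVE numbers and the
# Live Preview fix version 0.4.16 are from the article.
WATCHLIST = {
    "ritwickdey.liveserver": "Live Server (CVE-2025-65717)",
    "shd101wyy.markdown-preview-enhanced": "Markdown Preview Enhanced (CVE-2025-65716)",
    "formulahendry.code-runner": "Code Runner (CVE-2025-65715)",
    "ms-vscode.live-server": "Microsoft Live Preview (fixed in 0.4.16)",
}
# Only Live Preview has a published fix; the other three count as vulnerable at
# any version until a fix ships.
FIXED_VERSIONS = {"ms-vscode.live-server": (0, 4, 16)}
# `code --list-extensions --show-versions` prints one publisher.name@version per line.
LINE_RE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<ver>[\d.]+)")

def parse_version(ver: str) -> tuple:
    """'0.4.16' -> (0, 4, 16); tuples compare component-wise."""
    return tuple(int(p) for p in ver.split(".") if p.isdigit())

def audit(inventory: str) -> list:
    """Return (extension_id, version, verdict, note) for each watchlisted extension."""
    findings = []
    for raw in inventory.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unexpected line
        ext_id, ver = m.group("id").lower(), m.group("ver")
        if ext_id not in WATCHLIST:
            continue
        fixed = FIXED_VERSIONS.get(ext_id)
        verdict = "patched" if fixed and parse_version(ver) >= fixed else "vulnerable"
        findings.append((ext_id, ver, verdict, WATCHLIST[ext_id]))
    return findings

def audit_local_install() -> list:
    """Audit the real inventory via the VS Code CLI (needs `code` on PATH)."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)

# Constructed sample inventory; the version numbers are made up.
SAMPLE_INVENTORY = """\
ms-python.python@2024.22.0
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
"""
```

Run `audit_local_install()` on a developer machine to get the same findings for the real extension set; any "vulnerable" entry is a candidate for recommendation 2 until a fix is released.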

Expert Analysis

OX Security emphasized the broader implications: "Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information."

They added that "keeping vulnerable extensions installed on a machine is an immediate threat to an organization's security posture: it may take only one click, or a downloaded repository, to compromise everything."

Current Status

As of publication, three of the four vulnerabilities remain unpatched. Developers using these extensions should consider immediate mitigation steps while waiting for official fixes.

The discovery underscores the critical importance of security in development tools and the need for rigorous vetting of third-party extensions in software development environments.
